Douglas Muth on 10 Dec 2008 10:18:48 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Brute force SSH attack confounds defenders

On Wed, Dec 10, 2008 at 12:00 AM, John Von Essen <> wrote:
> But... if we all leave SSH open with strong passwords, the brute force
> bots will have a ton of hosts to waste their time on, and eventually brute
> force ssh will become boring and a waste of cpu time.

Why not do the following:

1) Move "real" SSH service to another port

2) Build a "fake SSH" daemon to listen on port 22, that does nothing
but /dev/null information that is sent to it and return an "invalid
password" response on every login attempt.

#2 wouldn't take up a whole lot of memory or CPU, since it really
isn't *doing* anything.  But it would go a long way in wasting the
time of botnets that are trying to get in.

For bonus points, such a "fake" daemon could also have options to
sleep() for an abnormally long time before giving out an "invalid
password" response, further tying up attacking machines.

I wouldn't necessarily want to do this on a production server at the
office, but it's the sort of thing I would have no problem installing
on my personal mail server.

-- Doug
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --